On Wed, Sep 05, 2007 at 01:34:41PM +0200, Tobias Heide wrote:
> Steve Langasek wrote:
> > If you have to code both your app and your module to exchange extra
> > information, then it's no longer very "pluggable", is it?

> Note: only the application passes data to the module, not the other way
> round. The module should have the ability to make more granular
> authorisation decisions. ("Shall user X be granted to access Port 80 of
> Host Y?"). I just want to pass the information that the requested
> "resource" is Port 80 of Host Y.

> > When a module needs additional information in order to do its job, it's
> > expected that the module will use the conversation function provided by the
> > app in order to request this information from the user in some fashion.

> The problem with that is that most existing applications simply send
> the password when PAM_PROMPT_ECHO_OFF is sent to them. So I would have
> to add new messages to the PAM library. I don't think that's cool.

Only a handful of non-interactive applications do this. Most applications
correctly forward such requests for information to the user.

But again, if the application /also/ needs to know this information, you
don't seem to have anything particularly pluggable. If the module and
application have to be used together, there's not much point in making a PAM
module at all.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@xxxxxxxxxx                                   http://www.debian.org/